Cisco & Cisco Network Hardware News and Technology

How to Trace a Layer 2 Path on Cisco Nexus Switches?

August 31 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP

Ever been stuck trying to figure out the exact switching path that packets take through your network? Me too. Here’s how I solved the problem without fancy Layer 2 traceroute tools.


I’ve recently been working in a data center environment with Nexus 7000 and 5000 switches in the core. The core is almost completely Layer 2, with most routing pushed to the distribution layer. During the first week, we ran into a problem forwarding jumbo frames. Some vlans that used jumbo frames worked fine, but one vlan simply wouldn’t work. The network team went to some effort to prove our innocence, and there was the usual veiled finger-pointing by everyone else, “I’m not saying it’s a network problem, but…” Yeah, yeah, we know: the network is assumed guilty until proven innocent.


In my experience, troubleshooting jumbo frames begins simply. Either every device in the forwarding path allows jumbo packets, or they don’t. If just one interface in the path doesn’t allow jumbo frames, the conversation breaks. So the crucial first question is “what is the path?”

In a routed environment, this would be a no-brainer: traceroute would have your answer. But this is a Layer 2 environment. What I needed was a Layer 2 traceroute tool. Turns out Cisco does offer a Layer 2 traceroute utility for IOS on both the Cisco 7600 series routers and Catalyst 3560 series switches. It has been around since 12.2(18), and you can run the trace using either MAC addresses or IP addresses.

However, it didn’t work in NX-OS. And I did try. Several times. Just to be sure.

So, what was left was a manual Layer 2 trace, which means manually searching through the MAC address tables. Kind of cumbersome, but still doable. It was going to be tricky though, since the core switches were using both port-channels and virtual port-channels. The show mac address-table command alone was not going to cut it: sometimes the switch would see the MAC address over a port-channel, and I’d need to know which member interface of the port-channel had forwarded the packet.

However, before jumping in, I needed the source and destination MAC addresses, as well as the source and destination IP addresses (more on this later). Once the server team provided all of these, I began by finding the exact source switch and interface:

sh mac address-table | inc AAAA.AAAA.AAAA

SWITCH-A# sh mac address-table | inc AAAA.AAAA.AAAA
   VLAN     MAC Address      Type      age  Secure NTFY   Ports
---------+-----------------+--------+------+------+----+------------
* 200      AAAA.AAAA.AAAA    dynamic   10      F    F     Eth101/1/2

Once the originating switch and port were identified, I could begin looking for the path to the destination. On the source switch, I ran:

sh mac address-table | inc BBBB.BBBB.BBBB

SWITCH-A# sh mac address-table | inc BBBB.BBBB.BBBB
   VLAN     MAC Address      Type      age  Secure NTFY   Ports
---------+-----------------+--------+------+------+----+-----------
* 200      BBBB.BBBB.BBBB    dynamic   10      F    F     Po1

Guess what? The MAC was found on a port-channel. So, to find the physical interfaces included in that port-channel, I ran:

show port-channel summary

SWITCH-A# sh port-channel sum
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met
-------------------------------------------------------------------
Group Port-Channel  Type     Protocol  Member Ports
-------------------------------------------------------------------
1     Po1(SU)       Eth      LACP       Eth1/1(P)    Eth1/2(P)

This showed which physical interfaces each port-channel contains. With this, I looked in the CDP neighbor table to see which neighbor these interfaces connect to.

show cdp neighbor

SWITCH-A# sh cdp ne
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute
Device-ID Local Intrfce Hldtme Capability Platform     Port ID
SWITCH-B
          Eth1/1        125    S I s      N5K-C5548    Eth1/1
SWTICH-C
          Eth1/2        128    S I s      N5K-C5548    Eth1/2

Turns out the two physical interfaces connect to two different neighbors. Why? Virtual Port-Channel. This is where things get a little tricky.

I needed to figure out which physical interface is actually forwarding the packets, since they lead to different switches. I had no clue which command would accomplish this. Fortunately, Cisco TAC did know.

sh port-channel load-balance forwarding-path int port-channel 1 vlan 101 src-ip 1.1.1.1 dst-ip 2.2.2.2

This command is full of options, and if you question-mark your way through it, you can tweak it in a variety of different ways. Remember the source and destination IPs? This is where you’ll use them. The output shows which physical interface the packets are taking, as well as which load-balancing algorithm the port-channel is using. In this case, it was using source and destination IP only.

SWITCH-A# sh port-channel load-balance forwarding int port-channel 1 vlan 140 src-ip 1.1.1.1 dst-ip 2.2.2.2
Missing params will be substituted by 0's.
Load-balance Algorithm on switch: source-dest-ip
crc8_hash: 11 Outgoing port id: Ethernet1/2
Param(s) used to calculate load-balance:
dst-ip: 2.2.2.2
src-ip: 1.1.1.1
dst-mac: 0000.0000.0000
src-mac: 0000.0000.0000

With the physical interface info, I could correlate with the CDP neighbors table, and find which neighbor to check next.


I moved to the next switch, repeated the whole process, moved to the third, ran the procedure again, moved on yet again … sigh. Eventually, the MAC address-table entry didn’t point to a CDP neighbor, but instead pointed to a single physical interface with only one MAC address in the MAC address-table.
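The table-walking described above, as an added example that is not part of the original post: a small Python resolver that parses the four NX-OS outputs shown (MAC table, port-channel summary, CDP neighbors and the forwarding-path hash) and returns the egress interface plus the neighbor to visit next, or no neighbor when the MAC sits on an edge port. The sample outputs are constructed to match the post's formats; the switch names and interfaces in them are assumptions.

```python
"""Hop-by-hop Layer 2 path resolution from NX-OS show-command output (added example)."""
from __future__ import annotations
import re

INTF_RE = re.compile(r"^(Eth|Ethernet|Po|mgmt)\d")   # token that looks like an interface

def _short(intf: str) -> str:
    """NX-OS prints 'Ethernet1/2' in some outputs and 'Eth1/2' in others; normalise."""
    return intf.replace("Ethernet", "Eth")

def mac_port(mac_table: str, mac: str) -> str | None:
    """Ports column for a MAC from 'show mac address-table', or None if it is not learned."""
    for line in mac_table.splitlines():
        fields = line.split()
        if mac.upper() in (f.upper() for f in fields):
            return fields[-1]
    return None

def po_members(po_summary: str, po: str) -> list[str]:
    """Active (P) member interfaces of a port-channel from 'show port-channel summary'."""
    for line in po_summary.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[1].split("(")[0] == po:
            return [f.split("(")[0] for f in fields[4:] if f.endswith("(P)")]
    return []

def cdp_neighbors(cdp: str) -> dict[str, tuple[str, str]]:
    """Map local interface -> (Device-ID, neighbour Port ID) from 'show cdp neighbors'."""
    neighbors: dict[str, tuple[str, str]] = {}
    pending = None            # a long Device-ID is printed alone; its details wrap to the next line
    for line in cdp.splitlines():
        fields = line.split()
        if not fields or " - " in line or fields[0] == "Device-ID":
            continue          # blank line, capability legend or column header
        if INTF_RE.match(fields[0]):                 # wrapped detail line
            if pending:
                neighbors[fields[0]] = (pending, fields[-1])
                pending = None
        elif len(fields) == 1:                       # Device-ID alone
            pending = fields[0]
        elif INTF_RE.match(fields[1]):               # Device-ID and details on one line
            neighbors[fields[1]] = (fields[0], fields[-1])
    return neighbors

def lb_egress(lb_output: str) -> tuple[str, str]:
    """(algorithm, chosen member) from 'show port-channel load-balance forwarding-path'."""
    algo = re.search(r"Load-balance Algorithm on switch:\s*(\S+)", lb_output)
    port = re.search(r"Outgoing port id:\s*(\S+)", lb_output)
    if not (algo and port):
        raise ValueError("unrecognised load-balance forwarding-path output")
    return algo.group(1), _short(port.group(1))

def next_hop(mac: str, mac_table: str, po_summary: str, cdp: str, lb_output: str | None = None) -> dict:
    """One hop of the manual trace: MAC table -> port-channel members -> hash result -> CDP neighbour.
    'neighbor' is None when the MAC sits on a port with no CDP neighbour, i.e. the end host."""
    port = mac_port(mac_table, mac)
    if port is None:
        raise LookupError(f"{mac} is not in the MAC address table")
    algo = None
    if port.startswith("Po"):
        if lb_output is None:
            raise LookupError(f"{mac} is learned on {port}; forwarding-path output is needed")
        algo, egress = lb_egress(lb_output)
        members = po_members(po_summary, port)
        if egress not in members:     # sanity check: the hash must pick an active member
            raise ValueError(f"{egress} is not an active member of {port} {members}")
    else:
        egress = _short(port)
    nbr = cdp_neighbors(cdp).get(egress)
    return {"egress": egress, "neighbor": nbr[0] if nbr else None,
            "neighbor_port": nbr[1] if nbr else None, "algorithm": algo}

# Constructed samples modelled on the outputs in the post (not real captures).
MAC_TABLE = """\
   VLAN     MAC Address      Type      age  Secure NTFY   Ports
---------+-----------------+--------+------+------+----+------------
* 200      AAAA.AAAA.AAAA    dynamic   10      F    F     Eth101/1/2
* 200      BBBB.BBBB.BBBB    dynamic   10      F    F     Po1
"""
PO_SUMMARY = """\
Group Port-Channel  Type     Protocol  Member Ports
1     Po1(SU)       Eth      LACP       Eth1/1(P)    Eth1/2(P)
"""
CDP = """\
Device-ID Local Intrfce Hldtme Capability Platform     Port ID
SWITCH-B
          Eth1/1        125    S I s      N5K-C5548    Eth1/1
SWITCH-C
          Eth1/2        128    S I s      N5K-C5548    Eth1/2
"""
LB = """\
Missing params will be substituted by 0's.
Load-balance Algorithm on switch: source-dest-ip
crc8_hash: 11 Outgoing port id: Ethernet1/2
"""

if __name__ == "__main__":
    print(next_hop("BBBB.BBBB.BBBB", MAC_TABLE, PO_SUMMARY, CDP, LB))
    print(next_hop("AAAA.AAAA.AAAA", MAC_TABLE, PO_SUMMARY, CDP))
```

Run one hop per switch, then feed the returned neighbor's outputs back in; the loop ends when `neighbor` is None.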


At last. I’d found the full, one-way Layer 2 path.


At this point, it would be easy to assume that the return path is symmetrical, and call it a day. But in this case, given how much everyone else had already worked on it (with no success), my hunch said the traffic followed an asymmetrical return path. So, once again into the CLI, I repeated everything until I returned to the source. Sure enough, one device on the different return path was not configured for jumbo frames – problem found. One maintenance window later, problem solved.


All told, this procedure took about an hour. But with a Layer 2 traceroute tool, it would have taken about 5 minutes. This is a great opportunity for Cisco to expand the Layer 2 traceroute to NX-OS, especially since the Nexus line goes into the core of many large networks. Maybe even some enterprising startup with mad programming skills could develop an app with a Cisco API that would spider through all these tables and display the path. No doubt the big monitoring packages like WhatsUp Gold or HP OpenView or Cisco Prime already do it, but how about a scaled-down version for the rest of us?


---Original reading from http://packetpushers.net/tracing-a-layer-2-path-on-cisco-nexus-switches/


Frame Relay Switch Configuration-CCNA Certification Training

August 27 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

A Cisco Lab Case Study---Many CCNA certification candidates want to add a frame relay switch to their Cisco router lab, but aren't quite sure how to configure one.


Other candidates aren't quite sure what a frame relay switch is, or which Cisco routers can serve as such a switch. This CCNA case study will examine how to add one of these pivotal devices to a Cisco lab.


A Cisco lab's frame relay switch is not a switch at all; it's a Cisco router. Almost any Cisco router can serve as your frame switch, but you will need multiple serial interfaces to make a router particularly effective in this role.


I recommend you get a Cisco router with at least four serial interfaces. Cisco 2520s make excellent frame switches, and by searching eBay for "frame relay switch", you'll quickly find several other models that can serve as well.


The frame relay switch is going to play the role of the frame provider in your lab. In essence, you've got a one-switch frame relay cloud, which gives you a tremendous opportunity to practice frame relay scenarios.


In this example, I've got three Cisco routers that are going to be the production routers in my lab - R1, R2, and R3. I have a fourth router that will serve as the frame relay switch. The DLCI assignments I've come up with are as follows:

  • R1 is the hub and will use DLCI 122 to reach R2, DLCI 123 to reach R3.
  • R2 is a spoke router and will use DLCI 221 to reach both R1 and R3.
  • R3 is a spoke router and will use DLCI 321 to reach both R1 and R2.


The physical connections are as follows. All connections are using DTE/DCE cables with the DCE end of the cable connected to the frame relay switch.

  • R1 is connected to the frame switch's Serial1 port.
  • R2 is connected to the frame switch's Serial2 port.
  • R3 is connected to the frame switch's Serial3 port.


On the frame switch, the global command frame-relay switching is required to make the router act as a frame relay switch. Let's take a look at the commands we'll need on the frame switch's Serial1 port, which is connected to R1.

interface Serial1
 no ip address
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321

Note that there is no IP address on the port, and frame relay encapsulation is enabled. The clockrate command is necessary on the DCE end of the connection, so you see it here.


You also see that the interface is hard-coded as a DCE with the frame-relay intf-type dce command. Not all current IOS versions require this; just make sure you have the DCE end of the cable attached to the frame switch, and verify that with show controller serial x.


Finally, we come to the frame-relay route command. The syntax seems a little tricky, but once you break it down it's pretty simple.

  • frame-relay route 122 = the incoming DLCI
  • interface serial2 = data coming in on DLCI 122 is sent out this port
  • 221 = data sent out interface serial2 will use this DLCI


Getting those statements correct is the hardest part of configuring your frame relay switch. The good part is that once you have your frame switch configured and working properly, you can just leave the configuration there.


We'll take a look at how to verify your frame switch configuration in just a moment, but first, let's review the important section of the frame switch configuration we've talked about here.

hostname FRAME_SWITCH
!
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
!
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 no ip address
!
interface Serial1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321
!
interface Serial2
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 221 interface Serial1 122
!
interface Serial3
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 321 interface Serial1 123

To verify that your frame relay configuration is functioning correctly, run the global command show frame route on the frame relay switch. If you see active next to all frame routes as shown below, you're in good shape.

[Figure: output of show frame route on the frame switch, with every route shown as active]

If you see anything else - say, the word "inactive" - then there is a problem.
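A consistency check, added here and not part of the original article, that you can run over a frame switch config before hunting for a cable or interface problem: it parses the frame-relay route statements and reports any PVC that is switched in only one direction, any incoming DLCI routed twice, and any DCE interface missing encapsulation, intf-type dce or clockrate. The config string is a constructed excerpt of the article's FRAME_SWITCH.

```python
"""Consistency check for a Cisco-router frame relay switch config (added example)."""
from __future__ import annotations
import re

# Constructed excerpt of the article's FRAME_SWITCH config (only the lines that matter here).
FRAME_SWITCH_CONFIG = """\
frame-relay switching
!
interface Serial1
 encapsulation frame-relay
 clockrate 56000
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321
!
interface Serial2
 encapsulation frame-relay
 clockrate 56000
 frame-relay intf-type dce
 frame-relay route 221 interface Serial1 122
!
interface Serial3
 encapsulation frame-relay
 clockrate 56000
 frame-relay intf-type dce
 frame-relay route 321 interface Serial1 123
"""

ROUTE_RE = re.compile(r"frame-relay route (\d+) interface (\S+) (\d+)")

def parse_frame_switch(config: str):
    """Return (switching_enabled, {intf: set(commands)}, [(in_intf, in_dlci, out_intf, out_dlci)])."""
    switching = False
    intfs: dict[str, set[str]] = {}
    routes: list[tuple[str, int, str, int]] = []
    current = None                      # interface block being parsed, None at global level
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            current = None
        elif line == "frame-relay switching":
            switching = True
        elif line.startswith("interface "):
            current = line.split()[1]
            intfs[current] = set()
        elif current and (m := ROUTE_RE.fullmatch(line)):
            routes.append((current, int(m[1]), m[2], int(m[3])))
        elif current:
            intfs[current].add(line)
    return switching, intfs, routes

def check_frame_switch(config: str) -> list[str]:
    """List the problems found; an empty list means the switch config is internally consistent."""
    switching, intfs, routes = parse_frame_switch(config)
    problems: list[str] = []
    if not switching:
        problems.append("global 'frame-relay switching' is missing")
    # Only interfaces that take part in a frame-relay route need the DCE-side commands.
    fr_intfs = {r[0] for r in routes} | {r[2] for r in routes}
    for intf in sorted(fr_intfs):
        cmds = intfs.get(intf)
        if cmds is None:
            problems.append(f"{intf}: referenced by a route but not configured")
            continue
        for needed in ("encapsulation frame-relay", "frame-relay intf-type dce"):
            if needed not in cmds:
                problems.append(f"{intf}: missing '{needed}'")
        if not any(c.startswith("clockrate ") for c in cmds):
            problems.append(f"{intf}: missing clockrate (required on the DCE end)")
    seen: set[tuple[str, int]] = set()
    for in_intf, in_dlci, out_intf, out_dlci in routes:
        if (in_intf, in_dlci) in seen:
            problems.append(f"{in_intf}: incoming DLCI {in_dlci} is routed twice")
        seen.add((in_intf, in_dlci))
        # Every PVC must be switched in both directions, or replies never come back.
        if (out_intf, out_dlci, in_intf, in_dlci) not in routes:
            problems.append(f"no return route for {out_intf} DLCI {out_dlci} -> {in_intf} DLCI {in_dlci}")
    return problems

if __name__ == "__main__":
    print(check_frame_switch(FRAME_SWITCH_CONFIG) or "frame switch config is consistent")
```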


Troubleshooting A Frame Relay Switch

The key to troubleshooting your frame switch is that you cannot concentrate only on the frame switch's config. You can get that part perfect, but if you're using other DLCIs on your routers, or there's a physical issue - perhaps you forgot to open some interfaces - you're not going to get the active frame routes you want.

Just make sure you've got all the appropriate interfaces open, don't forget the clockrate and frame-relay route commands on the frame switch, and you'll successfully add this important device to your Cisco lab!


Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration

August 24 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco ASA configuration can be frustrating for many Cisco users, and everyone has their own troublesome case. Here Ethan Banks, a network engineer, shares his experience of helping a VPN client reach a remote office, along with an example of Cisco ASA 8.3/8.4 hairpinning NAT configuration.

Let’s share the case:

“I ran into an issue over the weekend where a VPN client was unable to access a remote office connected via an L2L tunnel terminated on the same firewall. The symptoms were straightforward enough. The client was unable to either ping or open a URL at a specific server at the remote office, although this connectivity used to work. In this example, VPN client 192.168.100.100 was not able to access server 10.11.12.1, although access to resources in the 10.10.0.0/16 network was fine.


I confirmed the remote office firewall was unlikely to be the issue; the remote firewall had seen no changes. As I knew the headquarters Cisco ASA firewall HAD seen a few changes, that’s where I focused my attention. After reviewing the headquarters firewall rulebase, I knew that the VPN client IP pool had permission to access resources in the remote office.


Monitoring the firewall logs, I spotted several “110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port” messages tied directly to the VPN client trying to open a socket to 10.11.12.1. So, I reviewed the firewall routing table with “show route” and “show asp table routing” and found no issues…not that I expected to. If the routing table was having a problem, connectivity issues would have been more widespread.


Of course, NAT sprung to mind as a potential issue, but I couldn’t see an obvious problem. There was a NAT that exempted the entire VPN client pool from being translated to any RFC1918 destinations. As this clearly covered the remote office IP range, I was a little stumped. This confusion was compounded by the fact that the connectivity used to work. A perplexing issue.


Take a read of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Setting General VPN Parameters. A couple of highlights caught my eye:


  • The “same-security-traffic permit intra-interface” is required. Fair enough, easy to implement, makes sense, and I’d already done that. No problem.
  • Now the documentation got confusing because of two conflicting statements:
  1. “When the ASA sends encrypted VPN traffic back out this same interface NAT is optional. The VPN-to-VPN hairpinning works with or without NAT.” Okay – so I don’t need to write a NAT statement for the hairpinned traffic. NAT is optional, right? But then you next read…
  2. “To exempt the VPN-to-VPN traffic from NAT, add commands that implement NAT exemption for VPN-to-VPN traffic.” Uh, hang on. So I *do* need a NAT statement?


From my experience, I believe that, yes, you need a NAT exemption statement. I think all Cisco is trying to say is that you don’t have to actually translate the source or destination address into something else to be able to get through the hairpin.


Writing a NAT exemption statement is not an unusual thing to have to do in an ASA, but the magic in the context of hairpinning is in defining the ingress and egress interfaces. In a hairpin path, the traffic flows in and out the same interface. While I did have a NAT statement that matched source and destination addresses in question, the interfaces were only suitable for handling source VPN client to destination headquarters network traffic…not traffic headed from VPN client to the remote office network. Therefore, I needed a NAT statement like this: “nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net“.


The order of the NAT statement also mattered, as NAT statements are processed in order. Once I moved my new NAT statement to the top of the list, the issue was resolved.”
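A constructed ASA 8.3/8.4 fragment, added here and not part of Ethan's post, putting the pieces he describes together: the intra-interface permit, the identity (exemption) NAT for the hairpinned flow placed at the top of section 1, and a packet-tracer check. The object names follow the post; the subnets behind them are assumed placeholders.

```text
! Assumed object definitions: the post names the objects but not their subnets.
object network client_vpn_pool
 subnet 192.168.100.0 255.255.255.0
object network remote_office_net
 subnet 10.11.12.0 255.255.255.0
!
! Hairpinned traffic enters and leaves on the same interface.
same-security-traffic permit intra-interface
!
! Identity NAT for VPN-client -> remote-office traffic. The interface pair is
! (outside,outside) because both legs of the hairpin are on "outside"; the
! line number 1 places the rule at the top of section 1 so it is matched
! before any broader rule that could translate or mis-route the flow.
nat (outside,outside) 1 source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net
!
! Verification: walk the flow from the post through the ASA's own pipeline.
! The output names the NAT rule that matched and the egress interface chosen;
! a DROP result means the hairpin is still not covered.
packet-tracer input outside icmp 192.168.100.100 8 0 10.11.12.1
show nat
```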


Vlan and VTP Practice Questions

August 23 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

1: You are creating a report recommending the use of VLANs in your network. Which of the following features are provided by VLANs? (Choose three.)
A. Segmentation
B. Flexibility
C. Logging
D. Security

2: Which of the following statements regarding VLANs is true?
A. A VLAN is a physical broadcast domain spanning multiple logical subnets.
B. A VLAN is a logical broadcast domain spanning multiple physical subnets.
C. A VLAN is a logical broadcast domain spanning multiple logical subnets.
D. A VLAN is a physical broadcast domain spanning multiple physical subnets.

3: On which of the following devices can you implement VLANs?
A. Bridges
B. Routers
C. Hubs
D. Switches

4: Which of the following allows a port to carry traffic for multiple VLANs?
A. Port spanning
B. A trunk
C. Fast Ethernet
D. Split horizon

5: Which of the following are membership modes supported by VLANs? (Choose two.)
A. Public
B. Private
C. Static
D. Dynamic

6: You need to configure a VLAN Management Policy Server. Which of the following switches can fill this role? (Choose two.)
A. Catalyst 1924
B. Catalyst 2950
C. Catalyst 5000
D. Catalyst 6509

7: Which piece of information is used by a VLAN Management Policy Server to dynamically assign a port to a VLAN?
A. Source IP address
B. Source hostname
C. Source MAC address
D. Source port

8: Which of the following statements about VLAN Membership modes are correct? (Choose two.)
A. A dynamic port can belong to multiple VLANs at once.
B. Multiple hosts from different VLANs can be active on a dynamic port.
C. The Catalyst switch queries a VMPS when a frame arrives on a dynamic port.
D. The VMPS contains a database mapping MAC address to VLAN membership.

9: Which of the following technologies are methods to implement trunking? (Choose two.)
A. 802.1Q
B. WEP
C. ISL
D. IEEE 1394

10: In 802.1Q trunking, what is the default native VLAN ID?
A. VLAN 0
B. VLAN 1
C. VLAN A
D. There is no default VLAN ID.

11: Which of the following statements about 802.1Q frame tagging are correct? (Choose two.)
A. The 802.1Q protocol tags frames for the native VLAN.
B. The 802.1Q protocol doesn't tag frames for the native VLAN.
C. Tagged frames can be read by ordinary stations.
D. Tagged frames cannot be read by ordinary stations.

12: Adding a tag recomputes which portion of the 802.1Q frame?
A. Destination
B. Source
C. Data
D. FCS

13: Which of the following are characteristics of ISL? (Choose three.)
A. Vendor interoperability
B. Supports full-duplex
C. Supports half-duplex
D. Trunking
E. Encryption
F. Authentication

14: ISL functions at which layer of the OSI Model?
A. Physical layer
B. Data-link layer
C. Network layer
D. Session layer

15: What does ISL use to confirm that a frame has not been damaged during transit?
A. CRC
B. Digital signature
C. Data integrity
D. BPDU

16: The VTP functions at which layer of the OSI Model?
A. Physical layer
B. Data-link layer
C. Network layer
D. Session layer

17: Which of the following is the primary function of VTP?
A. Encryption
B. Authentication
C. Pruning
D. Messaging

18: How many VTP domains can a switch be configured in?
A. 1
B. 64
C. 255
D. Unlimited

19: Which of the following are modes under which VTP operates? (Choose three.)
A. Server
B. Client
C. Peer
D. Transparent
E. Static
F. Dynamic

20: You have installed a Catalyst switch in your network. Which VTP mode is it operating in by default?
A. Server
B. Client
C. Peer
D. Transparent
E. Static
F. Dynamic

Answers

1. A, B, D   2. B   3. D   4. B   5. C, D   6.  C, D   7.  C   8.  C, D   9.  A, C   10. B
11. B, D   12. D   13. B, C, D   14. B   15. A   16. B   17. D   18. A   19. A, B, D   20. A


What are Private VLANs?

August 16 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

Private VLANs are a method of segmenting devices at layer 2 that are in the same IP network: different VLANs are used, but they share a common IP network.

The most common scenario for a private VLAN is a residential network where customers connect to a switch provisioned by the ISP and the ISP wants to provision only one subnet but the customers should not be able to reach each other at layer 2.

The reason to disallow layer two intercommunication is for security, to prevent someone from interfering or eavesdropping on another customer’s traffic. Another scenario could be a hosting environment where servers are connected to a switch and a common VLAN is used instead of provisioning one VLAN for every new customer.

[Figure Private-VLANs-01: the private VLAN topology described below]

PCs in the grey VLAN can only communicate with each other and the router. The same goes for the PCs in the green VLAN. PCs in the blue VLAN can ONLY communicate with the router, not with each other. The picture shows only one PC, but if there were another PC it would not be able to communicate with the other PC in the same VLAN.

Some of the building blocks of Private VLANs.

Types of VLAN:

Primary VLAN – The VLAN that is used for receiving traffic from the device connected to the promiscuous port.

Community VLAN – Everybody that is located in a community VLAN may communicate with others in the same community VLAN and with the primary VLAN, but not with other VLANs.

Isolated VLAN – Can only reach the device on the promiscuous port; cannot reach any other devices.

Types of Ports:

Promiscuous port – A port that is connected to the primary VLAN where a promiscuous device is connected. This device will route traffic between the different VLANs. Requires a mapping between the primary VLAN and all secondary VLANs.

Host port – Hosts are connected to host ports; requires an association between the secondary VLAN in use on the port and the primary VLAN.

The following figure shows the traffic flow.

[Figure Private-VLANs-02: traffic flow between hosts in different secondary VLANs]

When communicating within the same community VLAN the traffic is forwarded directly (layer 2), but if traffic is sent between different secondary VLANs it must pass through the router, which allows us to do packet filtering at layer 3; it also means that ARP cannot be sent directly between hosts even though they are in the same IP subnet. The arrows from the PC in the blue VLAN to the PC in the black VLAN show the traffic flow, with numbering. First the PC in the blue VLAN sends a packet; this packet is always sourced with the VID of the secondary VLAN. The router receives the traffic and, if no filtering is done, sends the packet out sourced with the primary VLAN. The PC in the black VLAN receives the packet from the primary VLAN and sends its response with its secondary VLAN. Finally the router sends the packet back to the blue VLAN with the VID of the primary VLAN.

What needs to be configured? Let's start with the VLAN configuration. The scenario is that there are two switches connected by a trunk and routers are connected to the switchports (INE topology).

vlan 100
 name PRIMARY
  private-vlan primary
  private-vlan association 1000,2000,3000
!
vlan 1000
 name COMMUNITY_1
  private-vlan community
!
vlan 2000
 name COMMUNITY_2
  private-vlan community
!
vlan 3000
 name ISOLATED
  private-vlan isolated

We create the VLANs and configure them to be primary, community or isolated. The primary VLAN needs to know the secondary VLANs it should be associated with. Next is the interface configuration.

interface FastEthernet0/1
 switchport private-vlan mapping 100 1000,2000,3000
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host

One port is configured as promiscuous and the others as hosts. The host ports with secondary VLANs need to know what primary VLAN is used, and the promiscuous port needs to know what the secondary VLANs are.

show vlan private-vlan shows what has been configured.

SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Fa0/1, Fa0/3
100     2000      community         Fa0/1, Fa0/5
100     3000      isolated          Fa0/1

We also need configuration for SW2.

vlan 100
 name PRIMARY
  private-vlan primary
  private-vlan association 1000,2000,3000
!
vlan 1000
 name COMMUNITY_1
  private-vlan community
!
vlan 2000
 name COMMUNITY_2
  private-vlan community
!
vlan 3000
 name ISOLATED
  private-vlan isolated
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 3000
 switchport mode private-vlan host


show interfaces switchport shows how the port is configured.

SW1#show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
  100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Let's try the configuration. We will start at R1, which is on the promiscuous port, and see if it can ping R2-R6.

R1#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.5, 4 ms
Reply to request 0 from 100.0.0.2, 4 ms
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.4, 4 ms
Reply to request 0 from 100.0.0.6, 4 ms


As expected we can ping all the devices. R2 should only be able to ping R3 and R1.

R2#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.1, 4 ms


Working as expected. R6 should only be able to ping R1 since it is in an isolated VLAN.

R6#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.1, 4 ms
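A model of the reachability rules above, added here and not part of the original post: it parses the two switch configs (constructed excerpts of those shown above, without the name lines), applies the promiscuous/community/isolated rules at layer 2, and reproduces the three ping results. The router-to-port placement (Rn on FastEthernet0/n) is an assumption that is consistent with those results.

```python
"""Private-VLAN layer 2 reachability model (added example, not from the original post)."""
from __future__ import annotations
import re

# Constructed excerpts of the post's SW1 and SW2 configs (name lines left out).
SW1_CONFIG = """\
vlan 100
  private-vlan primary
  private-vlan association 1000,2000,3000
!
vlan 1000
  private-vlan community
!
vlan 2000
  private-vlan community
!
vlan 3000
  private-vlan isolated
!
interface FastEthernet0/1
 switchport private-vlan mapping 100 1000,2000,3000
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
"""
# SW2 carries the same VLAN definitions; only its host ports are listed here.
SW2_CONFIG = """\
interface FastEthernet0/2
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 3000
 switchport mode private-vlan host
"""
# Assumed router placement (Rn on FastEthernet0/n); it matches the post's ping results.
ROUTERS = {"R1": "SW1:FastEthernet0/1", "R2": "SW2:FastEthernet0/2", "R3": "SW1:FastEthernet0/3",
           "R4": "SW2:FastEthernet0/4", "R5": "SW1:FastEthernet0/5", "R6": "SW2:FastEthernet0/6"}

def parse_pvlan(switch: str, config: str):
    """Return ({vlan_id: type}, {"switch:intf": (port_mode, secondary_vlan)}) from IOS config."""
    vlan_types: dict[int, str] = {}
    ports: dict[str, tuple[str, int | None]] = {}
    block = None                                   # ("vlan", id) or ("intf", key) being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            block = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            block = ("intf", f"{switch}:{m[1]}")
            ports[block[1]] = ("access", None)     # until a private-vlan mode is seen
        elif block is None or line == "!":
            block = None
        elif block[0] == "vlan" and (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)):
            vlan_types[block[1]] = m[1]
        elif block[0] == "intf":
            mode, sec = ports[block[1]]
            if m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                sec = int(m[2])
            elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                mode = m[1]
            ports[block[1]] = (mode, sec)
    return vlan_types, ports

def can_reach(a: str, b: str, ports, vlan_types) -> bool:
    """Whether port a can exchange frames with port b directly at layer 2."""
    mode_a, sec_a = ports[a]
    mode_b, sec_b = ports[b]
    if "promiscuous" in (mode_a, mode_b):
        return True                                # the router port talks to every secondary
    if sec_a != sec_b:
        return False                               # different secondaries: only via the router
    return vlan_types.get(sec_a) == "community"    # same community: direct; isolated: never

def reachable_from(router: str) -> set[str]:
    """Routers whose replies `router` would see from its broadcast ping."""
    vt1, p1 = parse_pvlan("SW1", SW1_CONFIG)
    vt2, p2 = parse_pvlan("SW2", SW2_CONFIG)
    vlan_types, ports = {**vt1, **vt2}, {**p1, **p2}
    me = ROUTERS[router]
    return {r for r, p in ROUTERS.items() if r != router and can_reach(me, p, ports, vlan_types)}

if __name__ == "__main__":
    for r in ("R1", "R2", "R6"):
        print(r, "reaches", sorted(reachable_from(r)))
```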


The configuration is working. What if we want to create a SVI in one of the switches? This is the configuration.

SW1(config)#int vlan 100
SW1(config-if)#ip add 100.0.0.7 255.255.255.0
SW1(config-if)#no sh


Let’s try to ping.

SW1#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Why can’t we ping R2? We have no mapping to the secondary VLAN!

SW1(config)#int vlan 100
SW1(config-if)#private-vlan mapping 1000
SW1(config-if)#^Z
SW1#
*Mar  1 01:08:47.983: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 1000
SW1#
*Mar  1 01:08:49.267: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#sh run int vlan 100
Building configuration...
Current configuration : 88 bytes
!
interface Vlan100
 ip address 100.0.0.7 255.255.255.0
 private-vlan mapping 1000
end


Still no success, why?

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#^Z
SW1#
*Mar  1 01:14:26.858: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms


IP routing was needed! If you need to find documentation of Private VLANs, please visit Cisco.com. Here you find it:

Support -> Configure -> Products -> Switches -> LAN Switches -> Access -> Cisco Catalyst 3560 Series Switches -> Configuration Guides -> Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE -> Configuring Private VLANs


Reading from http://lostintransit.se/2011/03/07/private-vlans/


Cisco Readying the New Nexus 3500 Switch

August 13 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Nexus 3500 will feature ultra-low latency, target Infiniband

Cisco has another Nexus Ethernet data center switch in the works, this one with ultra-low latency and a more formidable rival to Infiniband.Cisco-Nexus-Switches.jpg

 

Details on the Nexus 3500 are unavailable. Cisco wouldn't discuss it when asked about an online ad seeking a software engineer for it.

 

"This is to be announced later," a Cisco spokesperson e-mailed. "No details to share yet."

 

Sources, however, say the Nexus 3500 will feature 250 nanosecond port-to-port latency and integrated network address translation. They say it will give Infiniband a run for the money, especially when combined with a new NIC from Cisco called usNIC.

 

"If this product does come out with latency as stated, it will dominate the silicon industry slamming down on Broadcom and more importantly Fulcrum," the source says. "But also compete with Mellanox and close the gap with Infiniband. Cisco will be untouchable in ultra-low latency switching."

 

RedHat has apparently run tests of usNIC with its MRG-M high performance computing software. Slides 16-18 of this presentation appear to show performance improvements of MRG-M when running usNIC vs. Infiniband.

 

Red Hat was not immediately available for comment. But our source said it, along with the Nexus 3500, could be a viable alternative to Infiniband.

 

"That, combined with this new Nexus 3500 having 250ns latency would be a compelling solution against Infiniband," the source said. "If Cisco launches Nexus 3500 in the next few months and combines usNIC in the launch it will finally be the first Ethernet solution that can compete against (Infiniband)...(and) shows Cisco intent to kill Infiniband with Ethernet."

 

Mellanox is a leading Infiniband networking vendor. Requests to the company for comment were not answered by posting time.

 

Cisco currently offers the Nexus 3000 line for low-latency, top-of-rack switching targeted at high-frequency financial trading, as well as the Nexus 7000, 5000 and 2000 lines for data center fabric switching.

---Reading resource from networkworld.com

 


Using the Ping Command In The Cisco IOS

August 10 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

The ping command is irreplaceable when it comes to troubleshooting. At some point, you will undoubtedly use this command to solve a networking problem. But how do you properly use this command in the Cisco IOS?

 

The Basics of Ping

The ping command works just like sonar in those old submarine movies. You are on one network device and you “ping” another. When you do this, in your head think of the sound that you heard in those old submarine movies: “PPiiiiiiiiiiiing”. The sound would go out and, on the sonar operator’s screen, he would or would not see the other submarine. This is exactly how the ping command works in networking. Your sonar screen is your Cisco router’s command prompt. Usage of the ping command can be as simple as this:

(Screenshot of the basic ping output is not reproduced here.)

As you can see in this example, I simply typed ping, and the IP address of the host I wanted to ping. In response, I got five exclamation points that told me that I sent 5 ping packets out, and they were all returned (a complete success).

 

In other words, a ping request is sent out to the remote device, and a ping response is received back, acknowledging the request. As ping uses the ICMP protocol, these packets are technically called ICMP echo request, and ICMP echo reply. ICMP is considered the management protocol for IP. ICMP uses the IP protocol but ICMP is not TCP, or UDP. ICMP does work at Layer 3.

Note that if the ping was not successful, you would have received one of the following (instead of an exclamation point):

  • “.” = network server timed out
  • “U” = destination unreachable
  • “Q” = source quench (destination too busy)
  • “M” = could not fragment
  • “?” = unknown packet type
  • “&” = packet lifetime exceeded

Besides the five exclamation points, I was also told that I was sending “5, 100-byte ICMP echoes”. This means that I actually sent five “ping packets” of 100 bytes each. I was told that the timeout was 2 seconds, which means that if a response was not received within 2 seconds, ping would decide that the packet was not going to return at all. This is a safe assumption considering 2 seconds is 2000ms and I am getting pings back in about 36ms.

Notice on the last line that the “Success rate is 100 percent”. That is because I sent 5 pings and received 5 ping replies back (that is the “(5/5)”). I was told that the round-trip minimum time for a ping reply to return was 36ms, the average time (of all 5 pings) was 36ms, and the maximum time was 40ms.

If you have DNS or a local hostname configured, you can use ping with names, like this:
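The result characters and the summary line above are exactly what a script has to read when ping output is collected from many devices. The parser below is an added example, not code from this article: it turns the text of one IOS ping into the parameters sent, the meaning of each result character, the success rate and the round-trip times, and copes with the 0 percent case where IOS prints no round-trip figures at all. The three sample outputs are constructed (the first two mirror the successful and timed-out pings shown earlier on this page; the mixed one is invented to exercise the “U” and “.” codes).

```python
import re
from collections import Counter
from typing import Dict

# Meaning of each character in an IOS ping result line (the list above).
PING_CHARS: Dict[str, str] = {
    "!": "reply received",
    ".": "network server timed out",
    "U": "destination unreachable",
    "Q": "source quench (destination too busy)",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
}

# "Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:"
SENDING_RE = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<target>[^,\s]+), "
    r"timeout is (?P<timeout>\d+) seconds:"
)
# "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms"
# The round-trip part is absent when nothing replied (0 percent).
SUCCESS_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<sent>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?"
)


def parse_ping(output: str) -> dict:
    """Turn the text of one IOS ping into a dict of its parameters and results."""
    result: dict = {
        "target": None, "count": None, "size": None, "timeout": None,
        "probes": [],        # one meaning per character of the result line
        "success_pct": None,
        "rtt_ms": None,      # (min, avg, max) or None when nothing replied
    }
    for raw in output.splitlines():
        line = raw.strip()
        m = SENDING_RE.match(line)
        if m:
            result.update(target=m["target"], count=int(m["count"]),
                          size=int(m["size"]), timeout=int(m["timeout"]))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            result["success_pct"] = int(m["pct"])
            if m["min"] is not None:
                result["rtt_ms"] = (int(m["min"]), int(m["avg"]), int(m["max"]))
            continue
        # The result line consists only of the characters in PING_CHARS;
        # prompts and the "Type escape sequence" banner never do.
        if line and all(ch in PING_CHARS for ch in line):
            result["probes"] = [PING_CHARS[ch] for ch in line]
    return result


def failure_summary(output: str) -> Counter:
    """Count the non-reply outcomes, e.g. Counter({'network server timed out': 5})."""
    parsed = parse_ping(output)
    return Counter(p for p in parsed["probes"] if p != PING_CHARS["!"])


# Constructed sample outputs (assumed, not captured from a live device).
PING_OK = """SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
"""
PING_TIMEOUT = """SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""
PING_MIXED = """Router#ping 10.0.0.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.9, timeout is 2 seconds:
U.U.!
Success rate is 20 percent (1/5), round-trip min/avg/max = 36/36/36 ms
"""

if __name__ == "__main__":
    for sample in (PING_OK, PING_TIMEOUT, PING_MIXED):
        print(parse_ping(sample)["success_pct"], dict(failure_summary(sample)))
```

The distinction the parser preserves matters when reading results: a run of “.” is a timeout (nothing came back), while “U” means something on the path actively said the destination is unreachable, which points at a different place to look.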

(Screenshot of ping by hostname is not reproduced here.)

You should know that there are many more types of ICMP traffic other than that used for “pinging” (echo and echo-reply). ICMP is used to redirect hosts to the proper router, to inform hosts that they need to resize their packets, and many types of IP management communications. Each of these types of ICMP packets has a type number (and optionally, a code number). For example, an ICMP echo is type 8. An echo-reply is a type 0. A redirect to another router for an entire network is a type 5, code 0 (with there being possible codes of 0-3). Finally, you can abbreviate ping by only typing “p”. For example:

Router# p 1.1.1.1
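To make the type and code numbers concrete, here is an added example (not code from this article) that builds an ICMP echo request or echo reply with the 8-byte header (type, code, checksum, identifier, sequence number), computes the RFC 1071 ones-complement checksum, decodes a packet back and verifies that checksum, and names the types mentioned above (8, 0 and 5 with its codes 0-3). The packets are constructed in memory; nothing is sent. Function names and the payload are this example's own choices.

```python
import struct
from typing import Dict

# ICMP type numbers mentioned above: echo reply 0, redirect 5, echo request 8.
ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8

TYPE_NAMES: Dict[int, str] = {
    ICMP_ECHO_REPLY: "echo reply",
    ICMP_REDIRECT: "redirect",
    ICMP_ECHO_REQUEST: "echo request",
}
# The four redirect codes (0-3); code 0 is the redirect for a whole network.
REDIRECT_CODES: Dict[int, str] = {
    0: "redirect datagrams for the network",
    1: "redirect datagrams for the host",
    2: "redirect datagrams for the type of service and network",
    3: "redirect datagrams for the type of service and host",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0) with a correct checksum."""
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("build_echo handles only echo request/reply")
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)  # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def describe(icmp_type: int, code: int) -> str:
    """Human-readable name for a type/code pair, e.g. 'redirect (... for the network)'."""
    name = TYPE_NAMES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == ICMP_REDIRECT:
        return f"{name} ({REDIRECT_CODES.get(code, f'code {code}')})"
    return name


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole packet."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    # For echo types the last two fields are identifier and sequence number.
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing a packet that includes its own checksum gives 0xFFFF; complement is 0.
    checksum_ok = icmp_checksum(packet) == 0
    return {
        "type": icmp_type, "code": code, "name": describe(icmp_type, code),
        "checksum": csum, "checksum_ok": checksum_ok,
        "ident": ident, "seq": seq, "payload": packet[8:],
    }


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """An echo reply matches a request when its checksum verifies and id/seq agree."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and rep["checksum_ok"]
            and (req["ident"], req["seq"]) == (rep["ident"], rep["seq"]))


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")   # constructed packet
    print(parse_icmp(req))
    print(is_reply_to(req, build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")))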

 

What Else Can I Do With Ping?

Now that you understand the basics, let’s look at an advanced version of ping. Cisco calls this “extended ping”. Extended ping will ask you many questions and “interactively” configure the options for ping. If you have never seen this before, you may be surprised at how many options the ping command can have. Here is an example:

(Screenshot of the extended ping dialogue is not reproduced here.)

In typing ping by itself, I was asked a list of questions. I have put a red arrow by each of the questions for which I typed a response. On other lines, I simply pressed Enter to take the default. In this example, I still pinged “Router3”. I stuck with the default of 5 ping packets (but could have changed it). I kept the default of a 100 byte ping packet but could have changed this to a ping packet as large as 18,024 bytes. Next, I chose to use the extended options, where I was able to choose the source interface of my ping packets. I also chose verbose output. With verbose output, I was able to see each reply to each ICMP echo that I sent, and the time it took for that reply to return to my router. One thing you may be surprised by is the first question, which asked what protocol you want to ping with. Yes, you can ping with protocols other than IP (such as Appletalk, DECnet, and IPX), but rarely are those protocols used anymore.

 

How Do I Allow Ping Through An IOS Access-list?

Because ICMP is not TCP or UDP, you must specify ICMP specifically when you create an access-list (ACL). Here is an example:

access-list 101 permit icmp any any echo-reply

In this ACL, we are permitting ICMP traffic from any source to any destination, as long as it is a reply to an echo request. Many administrators enter the following ACL and expect ICMP to flow through it:

access-list 101 permit ip any any

This ACL does NOT allow ICMP traffic. To allow ICMP and IP, you need the following two entries in your ACL:

access-list 101 permit ip any any
access-list 101 permit icmp any any

 

In summary, the ping utility is invaluable when it comes to troubleshooting network issues. While just about everyone has “pinged” something at one point or another, most people don’t know that there is more to ping than the simple ping command. Extended ping on Cisco routers and switches is a very powerful troubleshooting utility. While the ping command does use the ICMP protocol, there is much more to ICMP than just “ping”. Finally, don’t forget to save yourself three keystrokes by abbreviating the ping command with “p”. Over the years, those keystrokes add up!

 


Cisco: Wireless Networks Need to Catch up with Fixed Line

August 9 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP

 

The explosion of smart devices means that enterprises can no longer fall back on Ethernet

As smart devices continue to proliferate, the nature of the network is changing, and organisations need to focus on making their wireless networks as fast, reliable and scalable as their fixed line networks, according to Cisco.

 

Recent research by the UK communications regulator Ofcom found that tablet ownership in the UK has jumped from two percent to 11 percent during the last 12 months, and two in five adults now own a smartphone. Meanwhile, Cisco survey data suggests that the average person will own 3.47 devices in 2015, and 6.58 devices in 2020.

 

With the explosion of smart devices putting massive pressure on wireless networks, businesses cannot afford to offer inadequate services, according to Sarah Eccleston, head of borderless networks for Cisco UK and Ireland.

 

Most enterprises already have “best efforts” wireless networks in place, which have typically been built for the convenience of employees moving around the office, or for guest access. This is fine, said Eccleston, as long as there is a fixed line network to fall back on.

 

“In a traditional world, if your wireless network wasn't performing reliably, you simply plugged in your Ethernet cable. But you can't plug an Ethernet cable into a tablet or smart device because it doesn't have an Ethernet port,” she said.

 

“The wireless network is becoming more and more relevant and can't just be a best efforts technology anymore.”

 

Eccleston said that pressure is being put on organisations to holistically improve their wireless networks so that employees, clients and visitors can get the same level of service on their smart mobile devices that they have become used to on their PCs and laptops using a wired connection.

The biggest challenge is making wireless networks as fast as fixed networks, she said. This is partly because the number of mobile devices connected to a wireless network is constantly changing, whereas the number of connections on a fixed line network is restricted by the number of Ethernet ports.

 

The speed of connection over wireless networks can also be affected by the wireless client on the smartphone or tablet, which is often not as powerful as on a laptop, so the network has to compensate for devices connecting slowly.

 

Meanwhile, making wireless networks more reliable means removing radio frequency (RF) interference from electrical devices such as microwaves, video cameras and motion detectors; making them more scalable means building wireless LAN controllers that can support as many devices as a typical wired enterprise LAN.

 

Cisco has brought out several products to tackle these issues, such as the Aironet 3600 access point and its CleanAir technology, but Eccleston said there is still some way to go before the wireless network is good enough to replace fixed line. However, one important step towards the two becoming interchangeable is offering unified access.

 

“It's not really about having a LAN or having a wireless network any more, it's about providing access, and that access has to be just as good and just as secure, whether it's wired or wireless because of the plethora of mobile smart devices,” said Eccleston.

 

She said that IT departments used to have complete control of both the devices that employees were using, and of the applications running on those devices. Having lost control of both of those environments, as a result of the BYOD and cloud computing revolutions, they must now rely on the network for control.

 

“Unified access is about being able to know who's on your network, control what people can do when they're on that wireless network, and it's about being able to set that policy once. So regardless of the means of access of that person, that policy is set and enforced by the network.”

This means that whether an employee is accessing the corporate network using a laptop in the office with a wired Ethernet connection or using Wi-Fi in Starbucks via a VPN, the IT department has an equal amount of control and can feel confident that the enterprise's sensitive data is secured.

 

“It's a little bit about giving them visibility, and a little bit about giving them management, but it's also about giving IT back some control of their environment,” said Eccleston.

 

Providing fast, reliable and scalable access that enables people to use their own devices wherever they are, securely and effectively, is no longer just a “nice to have”. It has become central to the smooth running of any business, and not only employees but also customers and partners will expect to be able to connect seamlessly.

 

“If organisations don't improve their wireless capability then they can't really truly enable these devices for productivity, and that has all kinds of implications in terms of employee satisfaction, and the ability to recruit and retain younger talent,” concluded Eccleston.

 

---Written by Sophie Curtis from Techworld.com


10 Commands You Need to Know When Using the Cisco IOS

August 6 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Preface: Becoming proficient with the Cisco IOS means learning some essential commands. This quick reference describes 10 commands you’ll need to rely on when handling various configuration and troubleshooting tasks.

The Cisco IOS provides thousands of commands, and configuring it can be challenging. Here are 10 commands you need to know, inside and out, when using the Cisco IOS.

#1: The “?”

It may seem entirely too obvious that you should know how to type ? to ask for help when using the Cisco IOS. However, the Cisco IOS is completely different from other operating systems when it comes to using the question mark (help key). As the IOS is a command-line operating system with thousands of possible commands and parameters, using the ? can save your day.

 

You can use the ? in many ways. First, use it when you don’t know what command to type. For example, type ? at the command line for a list of all possible commands. You can also use ? when you don’t know what a command’s next parameter should be. For example, you might type show ip ? If the router requires no other parameters for the command, the router will offer <cr> as the only option. Finally, use ? to see all commands that start with a particular letter. For example, show c? will return a list of commands that start with the letter c.

 

#2: show running-configuration

The show running-config command shows the router, switch, or firewall’s current configuration. The running-configuration is the config that is in the router’s memory. You change this config when you make changes to the router. Keep in mind that this config is not saved until you do a copy running-configuration startup-configuration. This command can be abbreviated sh run.

 

#3: copy running-configuration startup-configuration

This command will save the configuration that is currently being modified (in RAM), also known as the running-configuration, to the nonvolatile RAM (NVRAM). If the power is lost, the NVRAM will preserve this configuration. In other words, if you edit the router’s configuration, don’t use this command, and then reboot the router, those changes will be lost. This command can be abbreviated copy run start. The copy command can also be used to copy the running or startup configuration from the router to a TFTP server in case something happens to the router.

 

#4: show interface

The show interface command displays the status of the router’s interfaces. Among other things, this output provides the following:

  • Interface status (up/down)
  • Protocol status on the interface
  • Utilization
  • Errors
  • MTU

This command is essential for troubleshooting a router or switch. It can also be used by specifying a certain interface, like sh int fa0/0.

 

#5: show ip interface

Even more popular than show interface are show ip interface and show ip interface brief. The show ip interface command provides tons of useful information about the configuration and status of the IP protocol and its services, on all interfaces. The show ip interface brief command provides a quick status of the interfaces on the router, including their IP address, Layer 2 status, and Layer 3 status.
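Because show ip interface brief packs the interface, its address, the Layer 2 status and the Layer 3 (line protocol) status onto one row per interface, it is the output most often fed to scripts. The parser below is an added example, not code from this article: it reads that table, tolerates the two-word status “administratively down” (an interface that needs the no shutdown of #7), and separates interfaces that are shut down from those whose line or line protocol is down. The sample output is constructed to show all three cases; the function names are this example's own.

```python
import re
from typing import Dict, List

# One row of "show ip interface brief":
#   Interface  IP-Address  OK?  Method  Status  Protocol
# Status may be two words ("administratively down"), so it is matched lazily
# and the Protocol column is anchored to the end of the line. The header row
# never matches because its third column is "OK?", not YES/NO.
ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_int_brief(output: str) -> List[Dict[str, str]]:
    """Return one dict per interface row, keyed by the column names above."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def interfaces_not_up(output: str) -> Dict[str, str]:
    """Map each interface that is not up/up to why: shutdown, line down or protocol down."""
    reasons: Dict[str, str] = {}
    for row in parse_ip_int_brief(output):
        if row["status"] == "administratively down":
            reasons[row["interface"]] = "shutdown"        # needs 'no shutdown'
        elif row["status"] != "up":
            reasons[row["interface"]] = "line down"       # Layer 2 is down
        elif row["protocol"] != "up":
            reasons[row["interface"]] = "protocol down"   # Layer 3 is down
    return reasons


def addressed_interfaces(output: str) -> Dict[str, str]:
    """Map interface name to IP address, skipping rows that show 'unassigned'."""
    return {row["interface"]: row["ip"]
            for row in parse_ip_int_brief(output) if row["ip"] != "unassigned"}


# Constructed sample output (assumed, not captured from a live device).
SAMPLE = """Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.1        YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/0/0                192.0.2.1       YES NVRAM  down                  down
Serial0/1/0                192.0.2.5       YES manual up                    down
Vlan100                    100.0.0.7       YES manual up                    up
"""

if __name__ == "__main__":
    print(interfaces_not_up(SAMPLE))
    print(addressed_interfaces(SAMPLE))
```

Keeping the three reasons apart is the point: “shutdown” is a configuration state you change in interface mode, “line down” is a physical or Layer 2 problem, and “protocol down” with the line up means Layer 3 (keepalives, encapsulation) is where to look.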

 

#6: config terminal, enable, interface, and router

Cisco routers have different modes where only certain things can be shown or certain things can be changed. Being able to move between these modes is critical to successfully configuring the router.

 

For example, when logging in, you start off at the user mode (where the prompt looks like >). From there, you type enable to move to privileged mode (where the prompt looks like #). In privileged mode, you can show anything but not make changes. Next, type config terminal (or config t) to go to global configuration mode (where the prompt looks like router(config)# ). From here, you can change global parameters. To change a parameter on an interface (like the IP address), go to interface configuration mode with the interface command (where the prompt looks like router(config-if)#). Also from the global configuration mode, you can go into router configuration using the router {protocol} command. To exit from a mode, type exit.

 

#7: no shutdown

The no shutdown command enables an interface (brings it up). This command must be used in interface configuration mode. It is useful for new interfaces and for troubleshooting. When you’re having trouble with an interface, you may want to try a shut and no shut. Of course, to bring the interface down, reverse the command and just say shutdown. This command can be abbreviated no shut.

 

#8: show ip route

The show ip route command is used to show the router’s routing table. This is the list of all networks that the router can reach, their metric (the router’s preference for them), and how to get there. This command can be abbreviated sh ip ro and can have parameters after it, like sh ip ro ospf for all OSPF routes. To clear the routing table of all routes, you do clear ip route *. To clear it of just one route, do clear ip route 1.1.1.1 for clearing out that particular network.

 

#9: show version

The show version command gives you the router’s configuration register (essentially, the router’s firmware settings for booting up), the last time the router was booted, the version of the IOS, the name of the IOS file, the model of the router, and the router’s amount of RAM and Flash. This command can be abbreviated sh ver.

 

#10: debug

The debug command has many options and does not work by itself. It provides detailed debugging output on a certain application, protocol, or service. For example, debug ip route will tell you every time a route is added to or removed from the routing table.

 
